How to configure certificates for HTTPS, IMAP, POP3, and SMTP

Shaun Alberts -

Problem

The pre-installed self-signed certificates are not trusted by the browser.  Where do I add my own trusted certificates?  

Solution

A new certificate will need to be generated or purchased. The same certificate can be used for IMAP, POP, HTTPS, and SMTP. Save the certificate and its private key on the server, then follow this guide to configure each application to use them. For the sake of this guide, we will assume that the new private key is called new_cert.key and the new certificate is called new_cert.pem.

Nginx certificate setup (webmail)

  1. Open the nginx config file. 
    vi /etc/nginx/conf.d/atmail.conf 
    The default config should look similar to this.
    server {
    
            listen 443 http2 ssl;
    
            server_name _;
    
            error_log /var/log/nginx/atmail_error;
            access_log /var/log/nginx/atmail_access;
    
            gzip on;
            gzip_types text/plain application/xml application/json application/javascript text/css;
    
            ssl_certificate_key  /etc/pki/nginx/private/atmail.key;
            ssl_certificate      /etc/pki/nginx/certs/atmail.pem;
    #       ssl_trusted_certificate /etc/pki/nginx/certs/letsencrypt_ca.pem;
    ...
  2. Place the new certificate key for nginx in the /etc/pki/nginx/private directory and change its ownership:
    # chown root:nginx /etc/pki/nginx/private/new_cert.key
  3. Now change its permissions.
    # chmod 0640 /etc/pki/nginx/private/new_cert.key
  4. Place the new certificate pem file in the /etc/pki/nginx/certs directory and change its ownership:
    # chown root:root /etc/pki/nginx/certs/new_cert.pem
  5. Now change its permissions.
    # chmod 0444 /etc/pki/nginx/certs/new_cert.pem
  6. Edit the ssl_certificate_key and ssl_certificate directives to point to your new key and certificate.
    ssl_certificate_key /etc/pki/nginx/private/new_cert.key; 
    ssl_certificate /etc/pki/nginx/certs/new_cert.pem;
  7. Restart nginx and apiserver.
    # systemctl restart nginx apiserver

IMAP/POP setup

  1. Place the new certificate key for dovecot in the /etc/pki/dovecot/private directory and change its ownership:
    # chown root:root /etc/pki/dovecot/private/new_cert.key
  2. Now change its permissions.
    # chmod 0640 /etc/pki/dovecot/private/new_cert.key
  3. Place the new certificate pem file for dovecot in the /etc/pki/dovecot/certs directory and change its ownership.
    # chown root:root /etc/pki/dovecot/certs/new_cert.pem
  4. Now change its permissions.
    # chmod 0444 /etc/pki/dovecot/certs/new_cert.pem
  5. In the admin portal, navigate to Services -> POP3/IMAP and add the paths to the certificate and key file.
  6. Publish the changes.

SMTP setup

  1. Make a private and a certs directory in the exim directory.
    # mkdir /etc/pki/exim/private /etc/pki/exim/certs
  2. Place the new certificate key for exim in the /etc/pki/exim/private directory and change its ownership.
    # chown root:exim /etc/pki/exim/private/new_cert.key
  3. Now change its permissions.
    # chmod 0640 /etc/pki/exim/private/new_cert.key
  4. Place the new certificate pem for exim in the /etc/pki/exim/certs directory and change its ownership.
    # chown root:root /etc/pki/exim/certs/new_cert.pem
  5. Now change its permissions.
    # chmod 0444 /etc/pki/exim/certs/new_cert.pem
  6. In the admin portal, navigate to Services -> SMTP and add the paths to the certificate and key file.
  7. Publish the changes.
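
Before restarting or publishing, it is worth confirming that each installed key actually belongs to its certificate and that ownership and modes match the steps above. The shell functions below are an added example, not part of the original atmail guide: the function names are hypothetical, the file names new_cert.key and new_cert.pem follow this guide's assumption, and GNU stat and the openssl command-line tool are assumed to be installed.

```shell
#!/bin/sh
# Added example: post-install checks for the files placed in this guide.
# Assumes Linux (GNU stat) and the openssl CLI; run as root so the key is readable.

# check_file PATH OWNER:GROUP MODE -> 0 if the file exists with that owner and mode.
# MODE is given without the leading zero (640, 444), as `stat -c %a` prints it.
check_file() {
    path=$1; want_owner=$2; want_mode=$3
    [ -f "$path" ] || { echo "MISSING  $path" >&2; return 1; }
    have_owner=$(stat -c '%U:%G' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_owner" != "$want_owner" ] || [ "$have_mode" != "$want_mode" ]; then
        echo "BAD      $path is $have_owner $have_mode, want $want_owner $want_mode" >&2
        return 1
    fi
}

# key_matches_cert KEY CERT -> 0 if the certificate carries the key's public key,
# 1 on mismatch, 2 if either file cannot be parsed (for example an encrypted key).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# verify_service SERVICE KEY_GROUP [BASE] -> checks BASE/SERVICE (default /etc/pki)
# against the ownership and permissions used in this guide.
verify_service() {
    base=${3:-/etc/pki}/$1
    rc=0
    check_file "$base/private/new_cert.key" "root:$2" 640 || rc=1
    check_file "$base/certs/new_cert.pem" root:root 444 || rc=1
    key_matches_cert "$base/private/new_cert.key" "$base/certs/new_cert.pem" \
        || { echo "MISMATCH $1: key does not belong to certificate" >&2; rc=1; }
    return $rc
}

# Usage (as root), with the key groups from the steps above:
#   verify_service nginx nginx && verify_service dovecot root \
#     && verify_service exim exim && nginx -t
```

A mismatch or an unreadable key here is the usual reason a service fails to start after a certificate swap, so run the checks before `systemctl restart`.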